%% Attack scenarios
\section{Attack scenarios}
This section will explain a few of the scenarios in which the attacks described
previously can be utilized.

\subsection{Call wire-tapping}
For an attacker to be able to eavesdrop a conversation in real-time, he must
know the encryption key. Once he obtains this key, he can tap voice as well as
data communication, including video and picture messages sent over GPRS.

Real-time eavesdropping can be performed by using the passive instant
ciphertext-only attack on $A5/2$. However, when other encryption algorithms are
used, the man-in-the-middle attack described earlier is required.

Alternatively, the attacker can record a few encrypted conversations at some
point in time, making sure that he knows the unencrypted $RAND$ value, and then
later use a fake base station to attack the victim's mobile phone and retrieve
$K_c$. Once $K_c$ is obtained, the attacker can decrypt the previously recorded
encrypted conversations whenever he wishes to do so.

\subsection{Call hijacking}
An attacker could hijack a conversation, even after the network has performed
authentication with the victim's phone, by getting a hold of $K_c$. He could
obtain this by using the passive attack from before, and then take over the
conversation by making sure he is transmitting a stronger radio signal than his
victim's phone.

Call hijacking could also be done after mounting a man-in-the-middle attack
discussed earlier. Once executed, the attacker could freely choose when to take
over the conversation.

\subsection{Altering of SMS}
As both voice and messages are encrypted under the same $K_c$, an attacker that
has hijacked a call, could as easily control the content of an SMS message. He
could choose to only eavesdrop, but also to alter messages sent to and from the
victim's phone, or even stop the message from being sent/received altogether.

\subsection{Call theft}
In this scenario the attacker impersonates the victim's mobile phone and can
make outgoing calls on the victim's expense. As mentioned earlier, the attacker
can deploy an attack that uses the victim's mobile phone as an oracle for
obtaining the $SRES$ value and $K_c$ for a given $RAND$. When the network asks
for authentication, the attacker performs an outgoing call to the network
in parallel and relays the authentication request to the victim's phone. When
the phone replies, the attacker relays the message back to the network, and
closes the session with the victim's phone.

One of the reasons this is possible is because most operators choose to
incorporate the weaker COMP128 in the authentication procedures if $A3A8$
discussed earlier.
